|Subject:||RE: [xacml] Attribute validation|
|From:||Hal Lockhart (hal....@oracle.com)|
|Date:||Nov 6, 2008 7:03:10 am|
Well the IGF (which we are in favor of, obviously) solves part of the problem, but at the moment it only covers Subject Attributes. This is an area we are actively pursuing inside and outside the TC.
-----Original Message----- From: sam...@symlabs.com [mailto:sam...@symlabs.com] Sent: Friday, October 31, 2008 12:09 PM To: Anil Tappetla (atappetl) Cc: sam...@symlabs.com; xac...@lists.oasis-open.org Subject: RE: [xacml] Attribute validation
Anil Tappetla (atappetl) wrote:
As a related strand - how does the PEP determine what attributes it must pass in a request to the PDP ? For apparently, the applicability of policies may vary with what attributes are present in the request.
The Liberty Alliance Identity Governance Framework (IGF) provides perfect solution for this. Each party, here PDP, declares formally what attributes it needs and other parties (PEP) can be configured to match in more or less automatic way.
-----Original Message----- From: sam...@symlabs.com [mailto:sam...@symlabs.com] Sent: Friday, October 31, 2008 7:07 PM To: Anil Tappetla (atappetl) Cc: xac...@lists.oasis-open.org; sam...@symlabs.com Subject: Re: [xacml] Attribute validation
Anil Tappetla (atappetl) wrote:
Assuming the PEP uses digital signatures in SAML wrapped XACML (or for
that matter SSL) as a means to authenticate with the PDP and to protect the integrity of the request, would it ever be a possible case
where the attributes in the request have not been validated as legitimate by the PEP ? The signature only establishes the authenticity and integrity, but the requestor makes no claims about the validity of the attributes. In such cases, should not the PDP make
these validations in order to circumvent a possible security attack ?
There is not much point in PEP supplying attributes if it does not guarantee their authenticity. If PEP is unable to supply authentic attributes, then PDP/PIP would be better off obtaining the attributes directly from the authorative source rather than "validate".
I can see a situation where user lands to PEP using SSO that passes some attributes from IdP. The SSO a7n is signed so authenticity of attributes can be validated by checking the signature. However, generally the signature can only be checked by PEP and will not be visible to PDP. Thus PEP unwraps the attributes and then vouches their authenticity to the PDP. It would be nice if the IdP signature was not lost and could be passed to the PDP so PDP would be trusting the IdP rather than PEP.
While it would be possible to sign the a7n in such a way that the attribute statement could be extracted without breaking the signature, the XACML attribute formatting is different. Perhaps XACML should use SAML Attribute Statements as the format for attributes? Barring that, the only way I can see this could be done right now is to pass at XACML layer one big attribute whose contents would be the signed a7n or attribute statement.
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php